Connecting to Sessions
This topic describes how to connect to bastion sessions.
For information specifically about how to create and manage bastion sessions, see Managing Sessions. For information about creating and managing bastions, see Managing Bastions.
Bastions are Oracle-managed services. You use a bastion to create Secure Shell (SSH) sessions that provide access to other private resources. But you can't connect directly to a bastion with SSH and administer or monitor it like a traditional host.
When connecting to a bastion session, we recommend that you follow the SSH best practices described in Securing Bastion.
Required IAM Policy
To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.
To use all Bastion features, you must have the following permissions:
- Manage bastions, sessions, and networks
- Read compute instances
- Read compute instance agent (Oracle Cloud Agent) plugins
- Inspect work requests
Allow group SecurityAdmins to manage bastion-family in tenancy
Allow group SecurityAdmins to manage virtual-network-family in tenancy
Allow group SecurityAdmins to read instance-family in tenancy
Allow group SecurityAdmins to read instance-agent-plugins in tenancy
Allow group SecurityAdmins to inspect work-requests in tenancy
If you're new to policies, see Getting Started with Policies and Common Policies.
Allowing Network Access From the Bastion
The VCN (virtual cloud network) that the target resource was created in must allow incoming network traffic from the bastion on the target port.
For example, if you want to use a session to connect to port 8001 on a compute instance from a bastion with the IP address 192.168.0.99, then the subnet used to access the instance needs to allow ingress traffic from 192.168.0.99 on port 8001.
To learn more, see Security Lists.
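The two network prerequisites above (the target subnet must admit the bastion's IP on the target port, and the client's IP must sit inside the bastion's CIDR block allowlist, which every session type below requires) can be checked offline before opening a session. The following is an added example, not Oracle's code; the rule dictionaries are a constructed, simplified shape and not the OCI security-list API schema, and the sample values reuse the page's 192.168.0.99 / port 8001 case.

```python
"""Pre-flight checks for an OCI Bastion session (added example, not Oracle's code).

  1. the target subnet must allow ingress from the bastion IP on the target port;
  2. the client's IP must fall inside the bastion's CIDR block allowlist.
Rule dictionaries are a simplified, constructed shape, not the OCI API schema.
"""
import ipaddress


def ingress_allowed(rules, src_ip, port, protocol="6"):
    """True if any ingress rule admits traffic from src_ip to port (protocol "6" = TCP)."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["protocol"] not in (protocol, "all"):
            continue
        if src not in ipaddress.ip_network(rule["source"], strict=False):
            continue
        lo, hi = rule.get("port_range", (1, 65535))  # absent range means all ports
        if lo <= port <= hi:
            return True
    return False


def client_allowlisted(allowlist, client_ip):
    """True if client_ip is inside any CIDR block of the bastion's allowlist."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in allowlist)


def preflight(rules, bastion_ip, target_port, allowlist, client_ip):
    """Return a list of human-readable problems; an empty list means ready to connect."""
    problems = []
    if not ingress_allowed(rules, bastion_ip, target_port):
        problems.append(f"subnet does not allow ingress from {bastion_ip} on port {target_port}")
    if not client_allowlisted(allowlist, client_ip):
        problems.append(f"client IP {client_ip} is not in the bastion CIDR allowlist")
    return problems


# Constructed sample: the bastion 192.168.0.99 reaching port 8001 on the target subnet.
SAMPLE_RULES = [
    {"source": "192.168.0.0/24", "protocol": "6", "port_range": (22, 22)},
    {"source": "192.168.0.99/32", "protocol": "6", "port_range": (8001, 8001)},
]
SAMPLE_ALLOWLIST = ["203.0.113.0/24"]  # constructed client allowlist

if __name__ == "__main__":
    print(preflight(SAMPLE_RULES, "192.168.0.99", 8001, SAMPLE_ALLOWLIST, "203.0.113.7"))
    print(preflight(SAMPLE_RULES, "192.168.0.99", 3389, SAMPLE_ALLOWLIST, "198.51.100.9"))
```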
Connecting to a Managed SSH Session
To connect to a compute instance using a Managed SSH session
Before you begin, you must create a Managed SSH session to the target instance.
- You must have the private key file of the SSH key pair that you used to create the session.
- The IP address of your machine must be in the CIDR block allowlist of the bastion that hosts the session.
- The IP address of the bastion must be permitted to access the target resource. See Allowing Network Access From the Bastion.
To connect to a Managed SSH session:
Connecting to a Port Forwarding Session
To connect to the SSH server on a compute instance
Before you begin, you must create a Port Forwarding session (also known as an SSH tunnel) to the SSH server on the instance, which by default is port 22.
- You must have the private key file of the SSH key pair that you used to create the session.
- The IP address of your machine must be in the CIDR block allowlist of the bastion that hosts the session.
- The IP address of the bastion must be permitted to access the target resource. See Allowing Network Access From the Bastion.
You can use a port forwarding session to connect to instances that don't meet all requirements for a Managed SSH session.
To connect to Windows using the Remote Desktop Protocol (RDP)
Before you begin, you must create a Port Forwarding session (also known as an SSH tunnel) to the RDP port on the Windows instance, which by default is port 3389.
- You must have the private key file of the SSH key pair that you used to create the session.
- The IP address of your machine must be in the CIDR block allowlist of the bastion that hosts the session.
- The IP address of the bastion must be permitted to access the target resource. See Allowing Network Access From the Bastion.
To create the SSH tunnel using PuTTY instead of OpenSSH (the ssh command), see To connect to Windows using RDP and PuTTY.
To connect to a Windows instance using an RDP client and a Port Forwarding session:
To connect to Windows using RDP and PuTTY
Before you begin, you must create a Port Forwarding session (also known as an SSH tunnel) to the RDP port on the Windows instance, which by default is port 3389.
- You must have the private key file of the SSH key pair that you used to create the session.
- The IP address of your machine must be in the CIDR block allowlist of the bastion that hosts the session.
- The IP address of the bastion must be permitted to access the target resource. See Allowing Network Access From the Bastion.
PuTTY is an open source SSH client for Windows. You must specify a private key file that is in PuTTY's proprietary format (.ppk). You can use the PuTTYgen tool to import and convert a key from OpenSSH format.
To connect to a Windows instance using PuTTY, an RDP client, and a Port Forwarding session:
To connect to an Autonomous Transaction Processing Database
Before you begin, you must create a Port Forwarding session (also known as an SSH tunnel) to the database port, which by default is port 1521.
- You must have the private key file of the SSH key pair that you used to create the session.
- The IP address of your machine must be in the CIDR block allowlist of the bastion that hosts the session.
- The IP address of the bastion must be permitted to access the target resource. See Allowing Network Access From the Bastion.
To connect to an Oracle Database using a Port Forwarding session:
To connect to a MySQL DB System
Before you begin, you must create a Port Forwarding session (also known as an SSH tunnel) to the database port, which by default is port 3306.
- You must have the private key file of the SSH key pair that you used to create the session.
- The IP address of your machine must be in the CIDR block allowlist of the bastion that hosts the session.
- The IP address of the bastion must be permitted to access the target resource. See Allowing Network Access From the Bastion.
To connect to a MySQL DB System using a Port Forwarding session: